AWS Certified Solutions Architect – Professional — Question 684

A large company runs workloads in VPCs that are deployed across hundreds of AWS accounts. Each VPC consists of public subnets and private subnets that span across multiple Availability Zones. NAT gateways are deployed in the public subnets and allow outbound connectivity to the internet from the private subnets.
A solutions architect is working on a hub-and-spoke design. All private subnets in the spoke VPCs must route traffic to the internet through an egress VPC. The solutions architect already has deployed a NAT gateway in an egress VPC in a central AWS account.
Which set of additional steps should the solutions architect take to meet these requirements?

Answer options

• A. Create peering connections between the egress VPC and the spoke VPCs. Configure the required routing to allow access to the internet.
• B. Create a transit gateway, and share it with the existing AWS accounts. Attach existing VPCs to the transit gateway. Configure the required routing to allow access to the internet.
• C. Create a transit gateway in every account. Attach the NAT gateway to the transit gateways. Configure the required routing to allow access to the internet.
• D. Create an AWS PrivateLink connection between the egress VPC and the spoke VPCs. Configure the required routing to allow access to the internet.

Correct answer: B

Explanation

AWS Transit Gateway acts as a centralized cloud router, making it the ideal solution for scaling hub-and-spoke network architectures across hundreds of AWS accounts. Sharing a single transit gateway and attaching all VPCs allows central management of egress traffic through the NAT gateway in the egress VPC. VPC peering does not support transitive routing, PrivateLink is designed for accessing specific services rather than general internet egress, and creating a transit gateway in every account is redundant and incorrect.